metasploit | 1711490a2dde3cba26dc902a91e2a03fb374d25a293e3e8378a9d880b9db816f

Analysis

max time kernel
140s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

492508d4a27f6b3e7ba08b6dbdd42d60.exe
Size

264KB
MD5

492508d4a27f6b3e7ba08b6dbdd42d60
SHA1

3f7e99911d9c4558955b56fa3170fbe8f4844365
SHA256

1711490a2dde3cba26dc902a91e2a03fb374d25a293e3e8378a9d880b9db816f
SHA512

72c5596d4d26f5dd6935d5d1ce755c0c95fc5c63f92a163856b7e519986074a079e1a46accb7d5da28853104f970b9052a5e58db9ac8c0e0d2a96b5c8f1f16e1
SSDEEP

3072:dg+25rRAFXt0lKhJo4eumE5qOhwAtIYLPPZqVRL2kFZ5ni:d2wTovEPtDPoRikFZ5i

Score

10^/10

metasploit backdoor trojan upx

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2424-8-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/2424-11-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/2424-10-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/2424-9-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/2424-6-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/2424-5-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/2424-4-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/2424-2-0x0000000000400000-0x0000000000467000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2896 set thread context of 2424	2896	492508d4a27f6b3e7ba08b6dbdd42d60.exe	29

Program crash 1 IoCs

pid	pid_target	Process
2776	2424	WerFault.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2424	2896	492508d4a27f6b3e7ba08b6dbdd42d60.exe	29
PID 2896 wrote to memory of 2424	2896	492508d4a27f6b3e7ba08b6dbdd42d60.exe	29
PID 2896 wrote to memory of 2424	2896	492508d4a27f6b3e7ba08b6dbdd42d60.exe	29
PID 2896 wrote to memory of 2424	2896	492508d4a27f6b3e7ba08b6dbdd42d60.exe	29
PID 2896 wrote to memory of 2424	2896	492508d4a27f6b3e7ba08b6dbdd42d60.exe	29
PID 2896 wrote to memory of 2424	2896	492508d4a27f6b3e7ba08b6dbdd42d60.exe	29
PID 2896 wrote to memory of 2424	2896	492508d4a27f6b3e7ba08b6dbdd42d60.exe	29
PID 2896 wrote to memory of 2424	2896	492508d4a27f6b3e7ba08b6dbdd42d60.exe	29
PID 2424 wrote to memory of 2776	2424	492508d4a27f6b3e7ba08b6dbdd42d60.exe	28
PID 2424 wrote to memory of 2776	2424	492508d4a27f6b3e7ba08b6dbdd42d60.exe	28
PID 2424 wrote to memory of 2776	2424	492508d4a27f6b3e7ba08b6dbdd42d60.exe	28
PID 2424 wrote to memory of 2776	2424	492508d4a27f6b3e7ba08b6dbdd42d60.exe	28

C:\Users\Admin\AppData\Local\Temp\492508d4a27f6b3e7ba08b6dbdd42d60.exe
"C:\Users\Admin\AppData\Local\Temp\492508d4a27f6b3e7ba08b6dbdd42d60.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Users\Admin\AppData\Local\Temp\492508d4a27f6b3e7ba08b6dbdd42d60.exe
  "C:\Users\Admin\AppData\Local\Temp\492508d4a27f6b3e7ba08b6dbdd42d60.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 140
1⤵
- Program crash
PID:2776

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2424-8-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2424-11-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2424-10-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2424-9-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2424-6-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2424-5-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2424-4-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2424-2-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2424-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download